Ability to use SSL CN / SAN as host header with http request

[0xAwali]

Let's Assume I'm Trying To Scan https://www.facebook.com So Firstly Nuclei Will Do TLS-Handshake To Transmit Data Into Secure Communication , And Nuclei While Doing TLS-Handshake Its Will Get Server Certificate That Contains Subject Alternative Name e.g. For https://www.facebook.com Will Get

*.facebook.com
*.facebook.net
*.fbcdn.net
......

So Why Not , Make Nuclei Parse These SAN And Use It As Host Headers e.g. If My Template

id: 0x00

info:
  name: Demo
  author: 0xAwali
  severity: info
requests:
  - raw:
    - |
      GET / HTTP/1.1
      Host: {{TLS-SAN}}
      Connection: keep-alive
      
    matchers:
      - type: word
        words:
          - 'Fingerprint-Here'

So Nuclei Will Send Number Of Requests Based On Number Of The SAN E.g.

 GET / HTTP/1.1
 Host: facebook.com
 Connection: keep-alive

 GET / HTTP/1.1
 Host: facebook.net
 Connection: keep-alive

You Can Add Option To Get Replacement Of Wildcard e.g. TLS-Wildcard

Actually I Faced This Scenario A Lot And Found A Lot Of Hostnames Doesn't Access Directly But If I Add Them As Host Header , I Can Access Them

[geeknik]

That is a great suggestion, however we aren’t sure Nuclei needs this extra layer. For example, using httpx -tls-probe -tls-grab -csp-probe handles this exact scenario before nuclei starts, which means you can pre-process the data however you want. Asking nuclei to handle this step would take control away from you in our opinion.

Our workflow runs something like:
subfinder -> dnsx -> naabu-> httpx-> nuclei

In the end, nuclei gets the maximum number of hosts and ports to check. 🤙🏻

[0xAwali]

Yah I Know I Can Use httpx To Get SAN , Wishing One Day This Feature Come With Nuclei

[geeknik]

Sure, not saying it won’t, just offering up an opinion. 🤙🏻

[ehsandeep]

@0xAwali with nuclei we wanted to support features that are user-controlled and customizable, with that said, this will be possible to achieve with nuclei once we complete the work on #1066 and #1047, SSL support let you extract values of your interest and Value sharing between cross template PR let you place those extracted values from SSL template to HTTP template to make HTTP requests :)